<html>
<head>
<style>
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Verdana
}
</style>
</head>
<body class='hmmessage'>
Andy!<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Here is one of the ways to get this to work:<br>
<pre>server ipsec.conf:
version 2.0     # conforms to second version of ipsec.conf specification
# basic configuration
config setup
        protostack=netkey
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.1.0/24

conn road
        authby=secret
        pfs=no
        rekey=no
        keyingtries=3

        left=%defaultroute
        leftsubnet=192.168.1.0/24
        leftprotoport=17/%any
        <b>leftid=209.240.239.188</b> # Add a connection identifier for the server

        right=%any
        rightprotoport=17/%any
        <b>rightid=@myRW01</b> # Add a connection identifier for the client

        auto=add

client ipsec.conf:
version 2.0     # conforms to second version of ipsec.conf specification
# basic configuration
config setup
        protostack=netkey
        nat_traversal=yes
        virtual_private=%v4:192.168.0.0/16

conn WFC
        authby=secret
        pfs=no
        rekey=yes
        keyingtries=3
        type=transport

        left=192.168.0.3
        leftprotoport=17/1701
        <b>leftid=@myRW01</b> # Add a connection identifier for the client

        right=209.240.239.188
        rightsubnet=192.168.1.0/24
        rightprotoport=17/1701

        auto=add</pre>
<b>Changes to /etc/ipsec.secrets file on the server<br>
<br>
@myRW01 209.240.239.188 : PSK "somesecretphrase01"<br>
@myRW01 192.168.1.2 : PSK "somesecretphrase01"<br>
</b><br>
&nbsp;&nbsp;&nbsp;&nbsp; Hope that helps!<br>
<br>
<span style="font-family: Tahoma,Helvetica,Sans-Serif; font-style: italic; font-weight: bold;">-<span style="font-family: Times New Roman,Times,Serif;"> Simon Charles - </span></span><br>
<br>
&gt; Date: Mon, 26 Jan 2009 19:11:21 -0600<br>
&gt; From: gohanman@gmail.com<br>
&gt; To: users@openswan.org<br>
&gt; Subject: [Openswan Users] NAT on both sides<br>
&gt; <br>
&gt; I'm trying to set up a connection with both ends behind NAT. I must be<br>
&gt; missing something because I just cannot get it to work. Setup is like<br>
&gt; this:<br>
&gt; <br>
&gt; openswan server 192.168.1.2<br>
&gt; router 1.2.3.4<br>
&gt; (internet)<br>
&gt; router w/ dynamic ip<br>
&gt; openswan client 192.168.0.3<br>
&gt; <br>
&gt; The router at 1.2.3.4 is passing IP 50, UDP 500, and UDP 4500 to 192.168.1.2<br>
&gt; <br>
&gt; server ipsec.conf:<br>
&gt; version 2.0     # conforms to second version of ipsec.conf specification<br>
&gt; # basic configuration<br>
&gt; config setup<br>
&gt;         protostack=netkey<br>
&gt;         nat_traversal=yes<br>
&gt;         virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.1.0/24<br>
&gt; <br>
&gt; conn road<br>
&gt;         authby=secret<br>
&gt;         pfs=no<br>
&gt;         rekey=no<br>
&gt;         keyingtries=3<br>
&gt; <br>
&gt;         left=%defaultroute<br>
&gt;         leftsubnet=192.168.1.0/24<br>
&gt;         leftprotoport=17/%any<br>
&gt; <br>
&gt;         right=%any<br>
&gt;         rightprotoport=17/%any<br>
&gt; <br>
&gt;         auto=add<br>
&gt; <br>
&gt; client ipsec.conf:<br>
&gt; version 2.0     # conforms to second version of ipsec.conf specification<br>
&gt; # basic configuration<br>
&gt; config setup<br>
&gt;         protostack=netkey<br>
&gt;         nat_traversal=yes<br>
&gt;         virtual_private=%v4:192.168.0.0/16<br>
&gt; <br>
&gt; conn WFC<br>
&gt;         authby=secret<br>
&gt;         pfs=no<br>
&gt;         rekey=yes<br>
&gt;         keyingtries=3<br>
&gt;         type=transport<br>
&gt; <br>
&gt;         left=192.168.0.3<br>
&gt;         leftprotoport=17/1701<br>
&gt; <br>
&gt;         right=209.240.239.188<br>
&gt;         rightsubnet=192.168.1.0/24<br>
&gt;         rightprotoport=17/1701<br>
&gt; <br>
&gt;         auto=add<br>
&gt; <br>
&gt; As given, when I try to bring up the connection from the client side I get this:<br>
&gt; 003 "WFC" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal):<br>
&gt; both are NATed<br>
&gt; 108 "WFC" #1: STATE_MAIN_I3: sent MI3, expecting MR3<br>
&gt; 003 "WFC" #1: received Vendor ID payload [CAN-IKEv2]<br>
&gt; 003 "WFC" #1: we require peer to have ID '209.240.239.188', but peer<br>
&gt; declares '192.168.1.2'<br>
&gt; 218 "WFC" #1: STATE_MAIN_I3: INVALID_ID_INFORMATION<br>
&gt; <br>
&gt; So both NATs are recognized, but it still objects to the IP mismatch.<br>
&gt; <br>
&gt; If I add rightid=192.168.1.2 to the client's ipsec.conf, I get this<br>
&gt; error on the server side:<br>
&gt; Jan 26 19:04:44 key pluto[15093]: "road"[2] 68.112.168.88 #4:<br>
&gt; STATE_MAIN_R3: sent MR3, ISAKMP SA established<br>
&gt; {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha<br>
&gt; group=modp2048}<br>
&gt; Jan 26 19:04:44 key pluto[15093]: "road"[2] 68.112.168.88 #4: the peer<br>
&gt; proposed: 192.168.1.0/24:17/0 -&gt; 192.168.0.3/32:17/0<br>
&gt; Jan 26 19:04:44 key pluto[15093]: "road"[2] 68.112.168.88 #4: cannot<br>
&gt; respond to IPsec SA request because no connection is known for<br>
&gt; 192.168.1.0/24===192.168.1.2[+S=C]:17/%any...68.112.168.88[192.168.0.3,+S=C]:17/%any===192.168.0.3/32<br>
&gt; Jan 26 19:04:44 key pluto[15093]: "road"[2] 68.112.168.88 #4: sending<br>
&gt; encrypted notification INVALID_ID_INFORMATION to 68.112.168.88:4500<br>
&gt; <br>
&gt; I'm honestly not sure if that's any closer. I tried specifying ids on<br>
&gt; both ends with @ notation, but that gives the same error as using<br>
&gt; rightid=192.168.1.2 (except with ids listed in the error).<br>
&gt; _______________________________________________<br>
&gt; Users@openswan.org<br>
&gt; http://lists.openswan.org/mailman/listinfo/users<br>
&gt; Building and Integrating Virtual Private Networks with Openswan:<br>
&gt; http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155<br>
</body>
</html>